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(54) SPAM detector with challenges 

(57) A system and method facilitating detection of 
unsolicited e-mail message(s) with challenges is provid- 
ed. The invention Includes an e-mail component and a 
challenge component. The system can receivs e-maii 
message(s) and associated probabilities that the e-mail 
message(s) are spam. Based, at least in part, upon the 
associated probability, the system can send a challenge 



to a sender of an e-mail message. The challenge can 
be an embedded code, computational challenge, hu- 
man challenge and/or micropayment request. Based, at 
least In part, upon a response to the challenge (or lack 
of response), the challenge component can modify the 
associated probability and/or delete the e-mail mes- 
sage. 
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Description 
TECHNICAL FIELD 

[0001] The present Invention relates generally to elec- 
tronic mall (e-mail) and more particularly to a system 
and method employing unsolicited e-mali (spam) detec- 
tion with challenges. 

BACKGROUND OF THE INVENTION 

[0002] Electronic messaging, particularly electronic 
mall ("e-mali") canried over the Intemet, is rapidly be- 
coming not only pervasive in society but also, given its 
infomiality, ease of use and low cost, a pref en-ed mode 
of communication for many individuals and organiza- 
tions. 

[0003] Unfortunately, as has occurred with more tra- 
ditional fomns of communication (e.^., postal mail and 
telephone), e-mail recipients are increasingly being sub- 
jected to unsolicited mass mailings. With the explosion, 
particularly in the last few years, of Internet-based com- 
merce, a wide and growing variety of electronic mer- 
chandisers is repeatedly sending unsolicited mail adver- 
tising their products and services to an ever expanding 
universe of e-mail recipients. Most consumers that order 
products orothenvise transact with a merchant over the 
internet expect to and, in fact, regularly receive such 
merchant solicitations. However, electronic mailers are 
continually expanding their distribution lists to penetrate 
deeper into society in order to reach ever increasing 
numbers of recipients. For example, recipients who 
merely provide their e-mail addresses in response to 
perhaps innocuous appearing requests for visitor infor- 
mation generated by various web sites, often find, later 
upon receipt of unsolicited mail and much to their dis- 
pleasure, that they have been included on electronic dis- 
tribution lists. This occurs without the Icnowledge, let 
alone the assent, of the recipients. Moreover, as with 
postal direct mail lists, an electronic mailer will often dis- 
seminate its distribution list, whether by sale, lease or 
othenvise. to another such mailer, and so forth with sub- 
sequent mailers. Consequently, overtime, e-mail recip- 
ients often find themselves ban'aged by unsolicited mail 
resulting from separate distribution lists maintained by 
a wide and increasing variety of mass mailers. Though 
certain avenues exist, based on mutual cooperation 
throughout the direct mall industry, through which an in- 
dividual can request that hls(her) name be removed 
from most direct mail postal fists, no such mechanism 
exists among electronic mailers. 
[0004] Once a recipient finds him(her)self on an elec- 
tronic mailing list, that individual can not readily, if at all, 
remove his(her) address from it, thus effectively guar- 
anteeing that he(she) will continue to receive unsolicited i 
mail - often in increasing amounts from that list and of- 
tentimes other lists as well. This occurs simply because 
the sender either prevents a recipient of a message from 



identifying the sender of that message (such as by send- 
ing maO through a proxy server) and hence precludes 
the recipient from contacting the sender In an attempt 
to be excluded from a distribution list, or simply ignores 
5 any request previously received from the recipient to be 
so excluded. 

[0005] An individual can easQy receive hundreds of 
unsolicited postal mall messages over the course of a 
year, or less. By contrast, given the ease and insignifl- 

10 cantcostthrough which e-distribution listscan be readily 
exchanged and e-mail messages disseminated across 
targe numbers of addressees, a single e-mail addressee 
Included on several distribution lists can expect to re- 
ceive a considerably larger number of unsolicited mes- 

15 sages over a much shorter period of time. Furthennore, 
while many unsolicited e-mail messages {e.g., offers for 
discount office or computer supplies or invitations to at- 
tend conferences of one type or another) are benign; 
others, such as pomographlc, Inflammatory and abu- 

?o slve material, can be highly offensive to certain recipi- 
ents. 

[0006] Unsolicited e-mail messages are commonly 
refen-ed to as "spam". Simllarto the task of handling junk 
postal mail, an e-mail recipient must sift through his(her) 
incoming mail to remove spam. Unfortunately, the 
choice of whether a given e-mail message Is spam or 
not Is highly dependent on the particular recipient and 
content of the message - what may be spam to one re- 
cipient may not be so to another Frequently, an elec- 

o tronte mailer will prepare a message such that its true 
content is not apparent from its subject line and can only 
be discemed from reading the body of the message. 
Hence, the recipient often has the unenviable task of 
reading through each and every message he(she) re- 

5 ceh^es on any given day, rather than just scanning its 
subject line, to fully remove spam messages. Needless 
to say, such filtering (often manually-based) can be a 
laborious, time-consuming task. 
[0007] In an effort to automate the task of detecting 

' abusive newsgroup messages (so-called "flames"), the 

• art teaches an approach of classifying newsgroup mes- 
sages through a mle-based text classifier. See, E. Sper- 
tus "Smokey: Automatic Recognition of Hostile Messag- 
es". Proceedings of the Conference on Innovative Ap- 

^ plications In Artificial Intelligence (lAAl) . 1 997. Here, se- 
mantic and syntactic textual classification features are 
first determined by feeding an appropriate corpus of 
newsgroup messages, as a training set, through a prob- 
abilistic decision tree generator. Given handcrafted 

> classifications of each of these messages as being a 
"flame" or not, the generator delineates specific textual 
features that, if present or not In a message, can predict 
whether, as a rule, the message is a flame or not Those 
features that correctly predict the nature of the message 
with a sufficiently high probability are then selected for 
subsequent use. Thereafter, to classify an Incoming 
message, each sentence in that message Is processed 
to yield a muW-element (ag., 47 element) feature vector. 
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with each element simply signifying the presence or ab- 
sence of a different feature in that sentence. The feature 
vectors of ail sentences in the message are then 
summed to yield a message feature vector (for the entire 
message). The message feature vector is then evaluat- s 
ed through coTesponding rules produced by the deci- 
sion tree generator to assess, given a combination and 
number of features that are present or not In the entire 
message, whether that message is either a flame or not. 
For example, as one semantic feature, the author no- io 
ticed that phrases having the word "you" modified by a 
certain noun phrase, such as "you people", "you bozos", 
"you flamers", tend to be insulting. An exception Is the 
phrase "y^u guys" which, in use, is rarely insulting. 
Therefore, one feature is whether any of these former ^5 
word phrases exist The associated rule is that, if such 
a phrase exists, the sentence is Insulting and the mes- 
sage is a flame. Another fearture is the presence of the 
word "thanl^, "please" or phrasal constructs having the 
word "would" (as In: "Would you be willing to e-mail me 20 
your logo") but not the words "no thanks". If any such 
phrases or words ere present (with the exception of "no 
thanks"), an associated rule, which the author refers to 
as the "politeness ru!e" categorizes the message as po- 
lite and hence not a flame. With some exceptions, the 25 
rules used in this approach are not site-specific, that is, 
forthe most partthey use the same features and operate 
in the same manner regardless of the addressee being 
mailed. 

[0D08] A mie based textual e-mail classifier, here spe- 30 
cificaliy one involving learned "keyword-spotting rules", 
is described In W. W. Cohen, "Learning Rules that Clas- 
sify E-mair, 1 996 AAAI Spring Symposium on l\/lachlne 
Learning in Information Access, 1996 (hereinafter the 
"Cohen" publication), in this approach, a set of e-mail 35 
messages previously classified Into different categories 
is provided as input to the system. Rules are then 
leamed from this set In orderto classify Incoming e-mail 
messages Into the various categories. While this meth- 
od does involve a learning component that allows for "to 
automatic generation of rules, these mles simply make 
yes/no distinctions for classification of e-mail messages 
into different categories without providing any confi- 
dence measure for a given prediction. Moreover, in this 
work, the actual problem of spam detection was not ad- 
dressed, in this regard, mie-based classifiers suffer var- 
ious serious deficiencies which, in practice, would se- 
verely limit their use in spam detection. Rrst, existing 
spam detection systems require users to manually con- 
struct appropriate rules to distinguish between legitl- so 
mate mail and spam. Most recipients will not bother to 
undertake such laborious tasks. As noted above, an as- 
sessment of whether a particular e-mail message Is 
spam or not can be rather subjective with its recipient. 
What is spam to one recipient may, for another, not be. ss 
Furthermore, non-spam mail varies significantly from 
person to person. Therefore, for a rule based-classifier 
to exhibit acceptable perforniance in filtering most spam 



from an Incoming mall stream, the recipient must con- 
struct and program a set of classification mles that ac- 
curately distinguishes between what constitutes spam 
and what constitutes non-spam (legitimate) eHmail. 
Property doing so can be an extremely complex, tedious 
and time-consuming task even for a highly experienced 
and knowledgeable computer user. 
[0009] Second, tfie characteristics of spam and non- 
spam e-nnail may change significantly over time; rule- 
based classifiers are static (unless the user is constantiy 
willing to make changes to the rules). Accordingly, mass 
e-mail senders routinely modify content of their messag- 
es in a continual attempt to prevent ("outwit") recipients 
from initially recognizing these messages as spam and 
then discarding those messages without fully reading 
them. Thus, unless a recipient Is willing to continuaiiy 
construct new rules or update existing rules to track 
changes to spam (as that recipient perceives such 
changes), then, over time, a rule-based classifier be- 
comes increasingly inaccurate at distinguishing spam 
from desired (non-spam) e-mail for that recipient, there- 
by further diminishing utility of the classifier and frustrat- 
ing the user/recipient. 

[0010] Alternatively, a user might consider employing 
a method for teaming nJles (as In the Cohen publication) 
from their existing spam In order to adapt, over time, to 
changes in an incoming e-mail stream. Here, the prob- 
lems of a rule-based approach are more clearly high- 
lighted. Rules are based on logical expressions; hence, 
as noted above, rules simply yield yes/no distinctions 
regarding the classification for a given e-mail message. 
Problematically, such mles provide no level of confi- 
dence for their predictions. 

Inasmuch as users may have various tolerances as to 
how aggressive they would want to filter their e-mail to 
remove spam, then, In an application such as detecting 
spam, rule-based classification would become rather 
problematic. For example, a conservative user may re- 
quire that the system be very confident that a message 
is spam before discarding it, whereas another user 
many not be so cautious. Such varying degrees of user 
precaution cannot be easily Incorporated into a rule- 
based system such as that described In the Cohen pub- 
lication. 

SUMMARY OF THE INVENTiON 

IP011] The following presents a simplified summary 
of the invention In order to provide a basic understand- 
ing of some aspects of the invention. This summary is 
not an extensive overview of the invention. It is not in- 
tended to identify key/critical elements of the invention 
or to delineate the scope of the invention. Its sole pur- 
pose is to present some concepts of the invention in a 
simplified torn as a prelude to the more detailed de- 
scription that is presented later. 
[0012] The present Invention provides for a system for 
detection of unsolicited messages (e.p., e-mail). The 
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system includes an e-mail component and a challenge 
component The system can receive message(s) and 
associated probabilities that the message(s) are spam. 
Based, at least in part, upon the associated probability 
the system can send a challenge to a sender of a mes- 
sage. The e-mall component can store message(s) and 
associated probabilities that the messages are spam. In 
one example, e-mail message(s) are stored with differ- 
ent attributes, such as folder name, based on associat- 
ed probabilities that the email message(s) are spam. In 
another example, e-mail message(s) having associated 
pmbabllities less than or equal to a first threshold are 
stored in a legitimate e- mall folder while e-mail mes- 
8age(s) having associated probabilities greater than the 
first threshold are stored in a spam folder. In yet another 
implementation of the invention, e- mail message(s) 
having associated probabilities Less than or equal to a 
first threshold are stored in a legitimate e-mail folder, e- 
maii message(s] having associated probabilities greater 
than the first threshold, but less than or equal to a sec- 
ond threshold are stored in a questionable spam folder. 
Those e-mail me8sage(s) having associated probabili- 
ties greater than the second threshold are stored in a 
spam folder. It is to be appreciated thatthe first threshold 
and/or the second threshold can be fixed, based on user 
preference(s) and/or adaptive {e.g., based, at least in 
part, upon available computational resources). 
[0013] it will be appreciated that numbers other than 
probabilities, such as the score from a Support Vector 
Machine, a neural network, etc, can serve the same pur- 
pose as probabilities - In general, the numeric output of 
any machine learning algorithm can be used in place of 
a probability in accordance v^'th an aspect of the present 
invention. Similariy, some machine learning algorithms, 
such as decision trees, output categorical infomiation, 
and this too can be used in place of a probability com- 
bined with a threshold. 

[0014] The challenge component can send a chal- 
lenge to a sender of an e-mail message having an as- 
sociated probability greater than a first threshold. For 
example, the challenge can be based, at least in part, 
upon a code embedded within the challenge fe.gf., al- 
phanumeric code). In responding to the challenge, the 
sender of the e-mall can reply with the code. In one ex- 
ample, the sender's system can be adapted to automat- 
ically retrieve the embedded code and respond to the 
challenge. Alternatively and/or additionally, the sender 
can be prompted to respond to the challenge {e,g,, man- 
ually). 

The use of a challenge based on an embedded code 
can Increase the bandwidth and/or computational load 
of sender(s) of spam, thus, serving as a deterrent to 
sending of spam. It is to be appreciated that the chal- 
lenge can be any of a variety of suitable types conn- 
putatlonal challenge, a human challenge and/or a ml- 
cropayment request). The challenge can be fixed and/ 
or variable. For example, with an increased associated 
probability, the challenge component can send a more 



difficult challenge or one that requires a greater micro- 
payment. 

[0015] The challenge component can modify the as- 
sociated probability that the e-mail message is spam 
5 based, at least in part, upon a response to the challenge. 
For example, upon receipt of an appropriate (e.g., cor- 
rect) response to the challenge, the challenge compo- 
nent can decrease the associated probability that the e- 
mail message is spam. In one example, the e-mail mes- 
10 sage is moved from a spam folder to a legitimate e-mail 
folder. In another implementation, the e-mail message 
is moved f mm a questionable spam folder to a legitimate 
e-mail folder. Upon receipt of an inappropriate (e.g., In- 
con'ect) response to the challenge and/or failure to re- 
ts celve a response to the challenge In a particular time 
period {e.g., 4 hours), the challenge component can In- 
crease the associated probability that the e-mail mes- 
sage Is spam. For example, the e-mail message can be 
moved from a questionable spam folder to a spam fold- 
er. 

[0016] Another aspect of the present invention pro- 
vides for the system to further Include a mail classifier. 
The mail classifier receives e-mall message(s), deter- 
mines the associated probability that the e-mail mes- 
sage is spam and stores the e-mail message(s) and as- 
sociated probabilities in the e-mail component. Accord- 
ingly, the mall classifier analyzes message content for 
a given recipient and distinguishes, based on that con- 
tent and for that recipient, between spam and legitimate 
(non-spam) messages and so classifies each Incoming 
e-mail message for that recipient. 
[0017] Additionally and/or altematively. e-mail mes- 
sage(s) can be marked with an indication of likelihood 
(probability) thatthe message is spam; message(s) as- 
signed intermediate probabilities of spam can be 
moved, based on that likelihood, to questionable spam 
folder(s). Based, at least in part, upon Information pro- 
vided by the mail classifier, the challenge component 
can send a challenge to a sender of an e-mail message 
having an associated probability greater than a first 
threshold. 

[0018] Yet another aspect of the present invention 
provides for the system to further include spam folder 
(s) and legitimate e-mall folder(s). The mall classifier de- 
termines the associated probability that an e-mail mes- 
sage Is spam and stores the e-mall message in the 
spam folder(s) or the legitimate e-mail folder(s) (e.g., 
based on a first threshold). Incoming e-mail message(s) 
are applied to an Input of the mall classifier, which. In 
turn, probabilistically classifies each of these messages 
as either legitimate or spam. Based on its classification, 
the message is routed to either of the spam folder(s) or 
the legitimate e-mail folder(s). Thereafter, the challenge 
component can send a challenge to a sender of an e- 
mail message stored in the spam folder(s) (e.g., having 
an associated probability greater than the first thresh- 
old). Based, at least In part, upon a response to the chal- 
lenge, the challenge component can move the e-mail 
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message from the spamfolder(s) to^e legitimate e-mail 
folder(s). For example, upon receipt of an appropriate 
(ag., correct) response to the challenge, the challenge 
component can move the e-mail message from the 
spam fblder(s) to the legitimate ennait folder(s). Further- 
more, upon receipt of an inappropriate (e.g., Incorrect) 
response to the challenge and/or faOure to receive a re- 
sponse to the challenge in a particular time period (e,g,, 
4 hours), the challenge component can delete the e-mail 
message from the spam folder(s) and/or change at- 
tribute(s) of the e-mali message stored in the spam foid- 
er(s). 

[0019] Another aspect of the present Invention pro- 
vides for a system to further include a legitimate e-mail 
sender(s) store and/or a spam sender(8) store. The le- 
gitimate e-mail sender(s) store stores infomfiation (e.g., 
e-malt address) associated with sender(s) of legitimate 
e-mall. E-mail message(s) from sender(s) Identified In 
the legitimate e-maii sender(s) store are generally not 
challenged by the challenge component. Information (e. 
g., e-mail address(es)) can be stored in the legitimate 
e-meUI 6ender(s) store based on user selection (e.g., "do 
not challenge" partlcularsender command), a user's ad- 
dress book, address(es) to which a user has sent at 
least a specified number of e-mail messages and/or by 
the challenge component The legitimate e-mail sender 
(s) store can further store a confidence level associated 
^N\ih a sender of legitimate e-mail. E-mall message(s) 
having associated probabilities less than or equal to the 
associated confidence level of the sender are not chal- 
lenged by the challenge component while those e-maii 
me8sage(s) having associated probabilities greater 
than the associated confidence level are challenged by 
the challenge component. The spam sender(s) store 
stores Information (e.g., e-mail address) associated with 
a sender of spam. I nf omiation can be stored in the spam 
sender(s) store by a user and/or by the challenge com- 
ponent. 

[0020] To the accomplishment of the foregoing and re- 
lated ends, certain illustrative aspects of the invention 
are described herein in connection with the following de- 
scription and the annexed drawings. These aspects are 
indicative, however, of but a few of the various ways in 
which the principles of the Invention may be employed 
and the present invention Is Intended to include ail such 
aspects and their equivalents. Other advantages and 
novel features of the invention may become apparent 
from the following detailed description of the invention 
when considered In conjunction with the drawings. 

BRIEF DESCRIPTION OF THE DRAWINGS 
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of unsolbited e-mail in accordance with an aspect 
of the present Invention. 

Rg. 3 is a block diagram of a system for detection 
of unsolteited e-mail in accordance with an aspect 
of the present Invention. 

Rg. 4 is a bbck diagram of a system for detection 
of unsolicited e-mail in accordance with an aspect 
of the present Invention. 

Rg. 5 is a block diagram of a system for detection 
of unsolicited e-mail in accordance with an aspect 
of the present Invention. 

Rg. 6 is a block diagram of a system for detection 
of unsolicited e-mail in accordance with an aspect 
of the present invention. 

Rg. 7 Is a block diagram of a system for responding 
to a challenge in accordance with an aspect of the 
present invention. 

Rg. 8 Is a flow chart Illustrating a method for detect- 
ing unsolicited e-mail in accordance with an aspect 
of the present invention. 

Fig. 9 is a flow chart further illustrating the method 
of Rg. 8. 

Rg. 10 Is a flow chart Illustrating a method for re- 
sponding to a challenge In accordance with an as- 
pect of the present invention. 
Rg. 11 is a flow chart Illustrating a method for re- 
sponding to challenges in accordance with an as- 
pect of the present Invention. 
Rg. 12 is an exemplary user interface for respond- 
ing to a plurality of challenges In accordance with 
an aspect of the present invention. 
Rg. 13 illustrates an example operating environ- 
ment in which the present invention may function. 



[0021] 



Fig. 1 is a block diagram of a system for detection 
of unsolicited e-mall In accordance with an aspect 
of the present Invention, 

Rg. 2 is a block diagram of a system for detection 



35 DETAILED DESCRIPTION OF THE INVENTION 

[0022] The present Invention Is now described with 
reference to the drawings, wherein like reference nu- 
merals are used to refer to like elements throughout. In 

^ the following description, for purposes of explanation, 
numerous specific details are set forth in order to pro- 
vide a thorough understanding of the present Invention. 
It may be evident, however, that the present invention 
may be practiced without these specific details. In other 

"fs Instances, well-known structures and devices are 
shown In block diagram form In order to facilitate de- 
scribing the present invention. 

[0023] As used In this application, the term ''computer 
component is Intended to refer to a computer-related 

so entity, either hardware, a combination of hardware and 
sofhware, software, or software in execution. For exam- 
ple, a computer component may be, but is not limited to 
being, a process running on a processor, a processor, 
an object, an executable, a thread of execution, a pro- 

55 gram, and/or a computer. By way of Illustration, both an 
appOcatton running on a server and the server can be a 
conr^uter component. One or more computer compo- 
nents may reside within a process and/or thread of ex- 
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edition and a component may be localized on one conv 
puter and/or distributed between two or more comput- 
ers. 

[0024] Referring to Fig. 1 , a system 1 00 for detection 
of unsolblted messages (e.g., e- malO in accordance 
with an aspect of the present invention is illustrated. The 
system 100 includes an e-maii component 110 and a 
challenge component 120. The system 100 can recehfe 
e-mail message(s) and associated probabilities that the 
e-mail message(s) are spam. Based, at least In part, up- 
on the associated probability the system 1 00 can send 
a challenge to a sender of an e-maO message. 
[0025] The e-nriall component 110 receives and/or 
stores e-mail message(s} receives and/or computes as- 
sociated probabilities that the e-mail messages are 
spam. For example , the e-mail component 1 1 0 can store 
infomiatlon based, at least In part, upon infomnatlon re- 
ceived from a mall classifier (not shown). In one exam- 
ple, e-mail message(s) are stored In the e-mall compo- 
nent 110 based on associated probabilities that the 
email message(s) are spam. In another example, the e- 
mai) component 110 receh^es e-mail message(s) and 
computes associated probabilities that the e-mail mes- 
8age(8) are spam. 

[0026] The challenge component 120 can send a 
challenge to a sender of an e-mail message having an 
associated probability greater than a first threshold. For 
example, the challenge can be based, at least in part, 
upon a code embedded within the challenge (e.g., al- 
phanumeric code). In responding to the challenge, the 
sender of the e-mali can reply with the code. In one ex- 
ample, the sender's system (not shown) can be adapted 
to automatically retrieve the embedded code and re- 
spond to the challenge. Alternatively and/or additionally, 
the sender can be prompted to respond to the challenge 
(e.g., manually). The use of a challenge based on an 
embedded code can increase the bandwidth and/or 
computational load of sender(s) of spam, thus, serving 
as a detenrent to the sending of spam. 
[0027] Additionally and/or alternatively the challenge 
can be a computational challenge, a human challenge 
and/br a micropayment request. These challenges and 
responses to these challenges are discussed more fully 
below. Further, the challenge can be fixed and/or varia- 
ble. For example, with an Increased associated proba- 
bility, the challenge component 120 can send a more 
difTicult challenge or one that requires a greater micro- 
payment. 

[0028] For example, a micropayment request can op- 
tionally utilize one-time-use spam certificates. A system 
100 can put a "hold" on a received spam certificate. 
When a user of the system 1 00 reads the message and 
marks it as spam, the spam certificate Is Invalidated - 
sender unable to use spam certificate any further. If the 
message is not mariced as spam, the hold Is released 
thus allowing the sender to reuse the spam certificate 
(ag., sender of message not charged money). In an al- 
ternate implementation, the spam certificate Is always 



Invalidated at receipt, regardless of whether the mes- 
sage vms marked as spam or not 
p)029] With regard to a computational challenge, in 
one implementation a challenge sender (message re- 
5 celver) can detennine what the computational challenge 
should be. However, In another Implementation, the 
challenge is uniquely detenmined by some combination 
of the message content, the time of receipt or sending 
of the message, the message sender, and, Importantly, 
10 the message recipient For example, the computational 
challenge may be based on a one-way hash of these 
quantities. If the challenge sender (message recipient) 
is allowed to choose the challenge, than a spammer 
might be able to use the following technique. He sub- 
scribes to mailing lists or otherwise generates mall from 
users. Thus, responders send messages back to the 
spammer to which the spammer responds with a com- 
putational challenge of his choice. In particular, the 
spammer can choose challenges that legitimate users 
so have previously sent to the spammer In response to 
spami Some percentage of the recipients of the spam- 
mer^ challenges solve the challenges, thus allowing the 
spammer to then answer the challenges sent to the 
spammer. In one Implementation, the computational 
25 challenge is based on a one-way hash of the message 
(including time and recipient stamps), making it virtually 
Impossible for sender or receiver to detemnine the chal- 
lenge, but making it possible for each to verify that a 
challenge senses its intended purpose. 
30 [0030] The challenge component 120 can modify the 
associated probability that the e-mail message is spam 
based, at least in part, upon a response to the challenge. 
For example, upon receipt of an appropriate (ag., cor- 
rect) response to the challenge, the challenge compe- 
ls nent 120 can decrease the associated probability that 
the e-mail message Is spam. In one example, the e-mail 
message is moved from a spam folder to a legitimate e- 
mall folder. In another example, the e-mail message Is 
' moved from a questionable spam folder to a legitimate 
40 e-mail folder. Moreover, upon receipt of an inappropriate 
(e.g., incomect) response to the challenge and/or failure 
to receive a response to the challenge in a particular 
time period (e.g., 4 hours), the challenge component 
120 can Increase the associated probability that the e- 
45 mall message Is spam. 

[0031] In one Implementation, a user Is given a choice 
of challenges. For example, the choice of challenges 
can be based upon a filter. 

[0032] Further, Instead of storing the e-mail message, 
so the system 100 can "bounce" the message, thus, ne- 
cessitating the sender to resend the message along with 
the response to the challenge. 

[0033] While Rg. 1 is a block diagram illustrating com- 
ponents for the system 100, it is to be appreciated that 
55 the challenge component 120 can be implemented as 
one or more computer components, as that term Is de- 
fined herein. Thus, it Is to be appreciated that computer 
executable components operable to Implement the sys- 
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tern 100 and/or the challenge component 120 can be 
stored on connputer readable media including, but not 
limited to» an ASIC (application specifc integrated cir- 
cuit), CD (compact disc). DVD (digital video disk). ROM 
(read only memory), floppy disk, hard disk. EEPROM s 
(electrically erasable programmable read only memory) 
and memory stick In accordance with the present Inven- 
tion. 

[0034] Turning to Fig. 2, a system 200 for detection of 
unsolicited e>mail in accordance with an aspect of the io 
present Invention Is illustrated. The system 200 Includes 
an e-mall component 110, a challenge component 120 
and a mall classifier 130. An exemplary mail classifier 
1 30 is sett orth In greater detail in copending U.S. Patent 
Application entitled A TECHNIQUE WHICH UTILIZES is 
A PROBABILISTIC CLASSIFIER TO DETECT "JUNK" 
E-MAIL, having serial no. 09/102.837 the entirety of 
which Is hereby Incorporated by reference. In one ex- 
ample, the mall classifier 130 receives e-mail message 
(s), determines the associated probability that the e-mai) 20 
message is spam and stores the e-mail message(s) and 
associated probabilities in the e-mail component 110. 
The mail classifier 1 30 analyzes message content for a 
given recipient and distinguishes, based on that content 
and for that recipient, between spam and legitimate 25 
(non-spam) messages and so classifies each incoming 
e-mail message for that recipient. 
[0035] In another example, each incoming e-mail 
message (in a message stream) is first analyzed to as- 
sess which one(s) of a set of predefined features, par- 30 
ticularly characteristic of spam, the message contains. 
These features (e.g., the "feature sef) Include both sim- 
ple-word-based features and handcrafted features, the 
latter including, for example, special multi-word phrases 
and various features in e-mail messages such as non- 35 
word distinctions. Generally speaking, these non-word 
distinctions collectively relate to, for example, format- 
ting, authoring, delivery and/or communication at- 
tributes that, when present In a message, tend to be in- 
dicative of spam - they are domain-specific character- 40 
istlcs of spam. Illustratively, fonnatting attributes may in- 
clude whether a predefined word in the text of a mes- 
sage Is capitalized, or whetherthattext contains aserles 
of predefined punctuation marlcs. Delivery attributes 
may illustratively Include whether a message contains 4s 
an address of a single recipient or addresses of a plu- 
rality of recipients, or a time at which that message was 
transmitted (mail sent In the middle of the night Is more 
likely to be spam). Authoring attributes may include, for 
example, whether a message comes from a particular so 
e-mail address. Communication attributes can illustra- 
tively include whether a message has an attachment (a 
spam message rarely has an attachment), or whether 
the message was sent by a sender having a particular 
domain type (most spam appears to originate from ". ss 
com" or ".net" domain types). Handcrafted features can 
also include tokens or phrases known to be, for exam- 
ple, abusive, pornographic or Insulting; or certain punc- 
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tuation martcs or groupings, such as repeated exclama- 
tion points or numbers, that are each likely to appear in 
spam. The specific handcrafted features are typically 
detemiined through human judgment alone or com- 
bined with an empirical analysis of distinguishing at- 
tributes of spam messages. 

[0036] A feature vector, with one element for each fea- 
ture in the set, is produced for each incoming e-mail 
message. That element simply stores a binary value 
specifying whether the con-espondlng feature Is present 
or not in that message. The vector can be stored in a 
sparse fonmat (e.g., a list of the poslthfe features only). 
The contents of the vector are applied as input to a prob- 
abilistic classifier, preferably a modified support vector 
machine (SVM) classifier, which, based on the features 
that are present or absent from the message, generates 
a probabilistic measure as to whether that message Is 
spam or not. This measure is then compared against a 
preset threshold value. If, for any message, Its associ- 
ated probabilistic measure equals or exceeds the 
threshold, then this message is classified as spam (e. 
g., stored in a spam folder). Altemath^ely. if the probabi- 
listic measure for this message Is less than the thresh- 
old, then the message is classified as legitimate (e.g., 
stored In a legitimate mall folder). The classification of 
each message can also be stored as a separate field in 
the vector for that message. The contents of the legiti- 
mate mail folder can then be displayed by a client e-mail 
program (not shown) for user selection and review. The 
contents of the spam folder will only be displayed by the 
client e-mail program upon a specific user request. 
[0037] Furthermore, the mall classifier 130 can be 
trained using a set of M e-mail messages (e.g., a "train- 
ing set", where M Is an integer) that have each been 
manually classified as either legitimate or spam. In par- 
ticular, each of these messages is analyzed to deter- 
mine from a relatively large universe of n possible fea- 
tures (refen-ed to herein as a feature space"), including 
both simple-word-based and handcrafted features, just 
those particular N features (where n and N are both in- 
tegers, n > N) that are to comprise the feature set for 
use during subsequent classification. Specifically, a ma- 
trix (typically sparse) containing the results for all n fea- 
tures for the training set is reduced In size through ap- 
plication of ZIpfs Law and mutual Infonnatlon, both as 
discussed in detail infmto the extent necessary, to yield 
a reduced N-by-m feature matrix. The resulting N fea- 
tures form the feature set that will be used during sub- 
sequent classification. This matrix and the known clas- 
slfteations for each message In the training set are then 
collectively applied to the mail classifier 130 for training 
thereof. 

[0038] Furthermore, should a recipient manually 
move a message from one folder to another and hence 
reclassify It, such as from being legitimate into spam, 
the contents of either or both folders can be fed back as 
a new training setto re-train and hence update the clas- 
sifier. Such re-trainlngcanoccuras a result of each mes- 
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sage reclassiTicatfon; automatically after a certain 
number of messages have been reclassified; after a giv- 
en usage Interval (e,g., several weeks or months) has 
elapsed; or upon user request. In this manner, the be- 
havior of the classifier can advantageously tracfc chang- 
ing subjective perceptions and preferences of its partic- 
ular user. Alternatively, e-mail messages may be clas- 
sified into multiple categories (subclasses) of spam (e, 
g., commercial spam, pornographic spam and so forth). 
In addition, messages may be classified into categories 
corresponding to different degrees of spam (e.g., "cer- 
tain spam", "questionable spam", and "non-spam"). 
[0039] Based, at least in part, upon Infonnation pro- 
vided by the mail classifier 130, the challenge compo- 
nent 1 20 can send a challenge to a sender of an e-mail 
message having an associated probability greater than 
a first threshold. For example, the challenge can be 
based, at least In part, upon a code embedded within 
the challenge (e.g., alphanumeric code), in responding 
to the challenge, the sender of the e-mail can reply with 
the code. The sender's system (not shown) can be 
adapted to automatically retrieve the embedded code 
and respond to the challenge. Altemativety and/or addi- 
tionally, the sender can be prompted to respond to the 
challenge (e.g., manually). The use of a challenge 
based on an embedded code can increase the band- 
width and/or computational load of sender(s) of spam, 
thus, serving as a deterrent to the sending of spam. It is 
to be appreciated that any type of challenge (e.g., a 
computational challenge, a human challenge, a micro- 
payment request) suitable for carrying out the present 
Invention can be employed and all such types of chal- 
lenges are intended to fall within the scope of the hereto 
appended claims. 

[0040] The challenge component 1 20 can modify the 
associated probability that an e-mail message is spam 
based, at least in part, upon a response to the challenge. 
For example, upon receipt of an appropriate (e.g., cor- 
rect) response to the challenge, the challenge compo- 
nent 120 can decrease the associated probability that 
the e-mail message is spam. 

[0041] Upon receipt of an inappropriate (e.g., incor- 
rect) response to the challenge and/or failure to receive 
a response to the challenge In a particular time period 
fag., 4 hours), the challenge component 120 can in- 
crease the associated probability that the e-mail mes- 
sage Is spam. It is to be appreciated that the mail clas- 
sifier 1 30 can be a computer component as that term is 
defined herein. 

[0042] Referring next to Fig. 3, a system 300 for de- 
tectlori of unsolicited e-mail in accordance with an as- 
pect of the present invention is illustrated. The system 
300 includes a mail classifier 310, a challenge compo- 
nent 320, spam foldGr(s) 330 and legitimate e^ail fold- 
er(s) 340, In one implementation, the spamfolder{s) 330 
and/or the legitimate e-mail folder(s) 340 can be virtual, 
that is. storing infomnation associated with e-mail mes- 
sage{s) (e.g., link to e-mail mes8age(s)) with the e-mail 



message(s) stored elsewhere. Or. in another implemen- 
tation, rather than folders, an attribute of the message, 
can simply be set. 

[0043] As discussed supra, the mall classifier 31 0 de- 
5 termines the associated probability that an e-mail mes- 
sage is spam and stores the e-mail message in the 
spam f older(s) 330 or the legitimate e-mail foider(8) 340 
(e.g., based on a first threshold). Incoming e-mafi mes- 
sage(s) are applied to an input of the mail classifier310. 
10 which, in tum, probabilistically classifies each of these 
messages as either legitimate or spam. Based on Its 
classification, the e-mail message is routed to either of 
the spam foider(s) 330 or the legitimate e-mail folder(8) 
340. Thus, e-mail message(s) having associated prob- 
f 5 abilities less than or equal to a first threshold are stored 
in a legitimate e-mail folder(s) 340 while e-mall message 
(s) having associated probabilities greater than the first 
threshold are stored in a spam folder(s) 330. The first 
threshold can be fixed, based on user preference(s) 

so and/or adaptive (e.g., based, at least in part, upon avail- 
able computational resources). 
[0044] Thereafter, the challenge component 320 can 
send a challenge to a sender of an e-maS message 
stored in the spam folder(s) (e.g., having an associated 
probability greaterthan the first threshold). For example, 
the challenge can be based, at least In part, upon a code 
embedded within the challenge, a computational chal- 
lenge, a human challenge and/or a micropayment re- 
quest. Based, at least In part, upon a response to the 

30 challenge, the challenge component 320 can move the 
e-mail message from the spam folder(s) 330 to the le- 
gitimate e-mail folder(s) 340. For example, upon receipt 
of an appropriate (e.g., correct) response to the chal- 
lenge, the challenge component 320 can move the e- 

^5 mail message from the spam folder(s) 330 to the legiti- 
mate e-mail folder(s) 340. 

[0045] Upon receipt of an inappropriate (e.g., incor- 
rect) response to the challenge and/or failure to receive 
a response to the challenge in a particular time period 

40 (e.g., 4 hours), the challenge component 320 can delete 
the e-mail message from the spam foIder(s) 330 and/or 
change attrlbute(s) of the e-mail message stored In the 
spam folder(s) 330. For exarrple, display attrlbute(s) (e. 
g., color) of the e-mail message can be chan ged to bring 

^ to a user's attention the increased likelihood of the e- 
mail message being spam. 

[0046] Next, tuming to Rg. 4, a system 400 for detec- 
tion of unsolicited e-mail in accordance with an aspect 
of the present invention is Illustrated. The system 400 
so includes a mail classifier 310, a challenge component 
320, spam fold6r(8) 330 and legitimate e-mail folder(8) 
340. The system 400 further includes a legitimate e-mail 
sander(s) store 350 and/or a spam sender(s) store 360. 
The legitimate e-mail sender(s) store 350 stores Infor- 
ms rnation (e.g., e-mail address) associated with sender(8) 
of legitimate e-mail. E-mail message(s) from sender(8) 
identlfidd in the legitimate e-mail 8ender(s) store 350-are 
generally not challenged by the challenge component 
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320. Accordingly, in on© example, e-mail messagB(s) 
stored in the spam tolder(s) 330 by the mail classifier 
310 are moved to the legitimate mail folder(s) 340 if the 
sender of the e-mail message is stored In the legitimate 
e-mail 8ender(8) store 350. 

[0047] Information (e.g., e-mail address(es)) can be 
stored in the legitimate e-mail sender(s) store 350 based 
on user selection (e,g^ "do not challenge" particular 
sender command), a user's address book. addrBss(es) 
to which a user has sent at least a specified number of 
e-mail messages and/or by the challenge component 
320. For example, once a sender of an e-mail message 
has responded correctly to a challenge, the challenge 
component 320 can store information associated with 
the sender (e^g., e-mail address) in the legitimate e-mail 
sender(s) store 350. 

[0048] The legitimate e-mail sender(s) store 350 can 
further retain a confidence level associated with a send- 
er of legitimate e-mall. E-mail message(s) having asso- 
ciated probabilities less than or equal to the associated 
confidence level of the sender are not challenged by the 
challenge component 320 while those e-mail message 
(s) having associated probabilities greater than the as- 
sociated confidence level are challenged by the chal- 
lenge component 320. For example, the confidence lev- 
el can be based, at least in part, upon the highest asso- 
ciated probability challenge to which the sender has re- 
sponded. 

[0049] In one implementation, a sender can be re> 
moved from the legitimate e-mall sender(s) store 350 
based, at least in part, upon a user's action (e,g., e-mail 
message from the sender deleted as spam). In accord- 
ance with another aspect. sender(s) are added to the 
legitimate e-mail sender(s) store 350 after a user has 
sent one e-mall message to the sender - this can be use- 
ful for mailing llst(s). 

[0050] The spam sender(s) store 360 stores infomria- 
tion (e.g., e-mali address) associated with a sender of 
spam. Information can be stored in the spam sender(s) 
store 360 by a user and/or by the challenge component 
320. For example, once a user has deleted a particular 
e-mail message as spam, infonnation associated with 
the sender of the e-mall message can be stored in the 
spam sender(s) store 360. In another example, infomna- 
tlon associated with a sender ot an e-mail message that 
incorrectly responded to a challenge and/or failed to re- 
spond to the challenge can be stored in the spam sender 
(s) store 360. 

[0051] Fig. 5 illustrates a system 500 for detection of 
unsolicited e-mail in accordance with an aspect of the 
present invention Is illustrated. The system 500 includes 
a mail classifier 51 0, a challenge component 520, spam 
folder(8) 530, questionable spam folder(s) 540 and le- 
gitimate e-maO folder(8) 550. As discussed above, the 
mail classifier 51 0 determines the associated probability 
that an e-mail message is spam and stores the e-mail 
message In the spam foider(s) 530, the questionable 
spam folder(s) 540 or the legitimate e-mail folder(s) 550. 



Incoming e-mall message(6) are applied to an input of 
the mall classifier 510, which. In turn, probabilistically 
classifies each of these messages as either legitimate, 
questionable spam or spam. Based on its classification, 
s each message is routed to one of the spam folder(s) 
530. the questionable spam folder(s) 540 or the legiti- 
mate e-mail folder(s) 550. 

[0052] E-nnal] message(s) having associated proba- 
bilities less than or equal to a first threshold are In legit- 

10 innate e-mall foIder(s) 550. E-mail message(s) having 
associated probabilities greater than the first threshold, 
but less than or equal to a second threshold are stored 
in questionable spamfolder(s) 540. Further, e-mail mes- 
sa9e(s) having associated probabilities greater than the 

IS second threshold are stored In spam foider(s} 530. It is 
to be appreciated that the first threshold and/or the sec- 
ond threshold can be fixed, based on user preference 
(s) and/or adaptive (e.g., based, at least In part, upon 
available computational resources). Thereafter, the 

^ challenge component 520 can send a challenge to a 
•sender of an e-mail message stored in the questionable 
spam folder(s) 540. For example, the challenge can be 
based, at least In part, upon a code embedded within 
the challenge, a computational chaDenge, a human 

25 challenge and/or a micropayment request. 

[0053] Based, at least in part, upon a response to the 
challenge or lack thereof, the challenge component 520 
can move the e-mail message from the questionable 
spam folder(s) 540 to the legitimate e-mail f older(s) 550 

30 or the spam f older(s) 530. For example, upon receipt of 
an appropriate (e,g., correct) response to the challenge, 
the challenge component 520 can moved the e-mail 
message from the questionable spam foIder(s) 540 to 
the legitimate e-mall folder{s) 550. 

35 [0054] Further, upon receipt of an Inappropriate (e.g., 
incorrect) responseto the challenge and/or failure to re- 
cehre a response to the challenge in a particular time 
period (e.g., 4 hours), the challenge component 520 can 
move the e-mail message from the questionable spam 

40 folder(s) 540 to the spam folder(s) 530. 

[0055] Referring next to Fig. 6, a system 600 for de- 
tection of unsolicited e-mall in accordance with an as- 
pect of the present invention is illustrated. The system 
600 Includes a mall classifier 510, a challenge compo- 

45 nent 520, spam folder(s) 530, questionable spam folder 
(s) 540 and legitimate e-mall folder(s) 550. The system 
600 further includes a legitimate e-mail 5ender(s) store 
560 and/or a spam sender(s) store 570. 
[0056] The legitimate e-mail sender(s) store 560 

so stores inf omiation (e.g., e-mail address) associated with 
sender(s) of legitimate e-mail. E-mail message(s) from 
entities Identified in the legitimate e-mail sender(s) store 
560 are generally not challenged by the challenge com- 
ponent 520. Accordingly. In one example, e-mall mes- 

55 sage(s) stored in the spam folder(s) 530 or the ques- 
tionable spam folder(s) 540 by the mail classifier 510 
are moved to the legitimate mail folder(s) 550 if the 
sender of the e-mail message is stored in the legitimate 
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e-mail sender(s) store 560. 

[0057] Information (e.g„ e-mail address(es)) can be 
stored in the legitimate e-mail sender(s) store 660 based 
on user selection (e.g., °do not challenge" parttcular 
sender command), a user's address book, address(es) 
to which a user has sent at least a specified number of 
e-mail messages and/or by the challenge component 
520. For example, once a sender of an e-mail message 
has responded correctly to a challenge, the challenge 
component 520 can store Information associated with 
the sender (e.g., e-mail address) In the legttimate e-mail 
sender(s) store 560. 

[0058] The legitimate e-mail sender(s) store 560 can 
further store a confidence level associated with a sender 
of legitimate e-mail. For example, e-mail mes8age(s) 
having associated probabilities less than or equal to the 
associated confidence level of the sender are not chal- 
lenged by the challenge component 520 while those e- 
mailmessage(s) having associated probabilities greater 
than the associated confidence level are challenged by 
the challenge component 520. For example, the confi- 
dence level can be based, at least in part, upon the high- 
est associated probability challenge to which the sender 
has responded. 

[0059] In one example, a sender can be removed from 
the legitimate e-mail sender(s) store 560 based, at least 
in part, upon a user's action (e.g., e-mail message from 
the sender deleted as spam). In another example, send- 
er(s) are added to the legitimate e-mail 8ender(s) store 
560 after a user has sent one e-mall message to the 
sender. 

[0060] The spam sender(s) store 570 stores informa- 
tion (e.g., e-maii address) associated with a sender of 
spam. Information can be stored in the spam sender(s) 
store 570 by a user and/or by the challenge component 
520. For example, once-a user has deleted a particular 
e-mail message as spam, information associated with 
the sender of the e-maii message can be stored in the 
spam sender(s) store 570. In another example, informa- 
tion associated with a sender of an e-mail message that 
incorrectly responded to a challenge and/or failed to re- 
spond to the challenge can be stored in the spam sender 
(s) store 570. 

[0061] In one example, a unique-ID can be ex- 
changed during the challenge process [e.g., to reduce 
the lilceiihood that a spammer can send spam using an 
address of a good sender). Further, sender(s) can use 
message signing. Unsigned mes8age(s) fmm sender(s) 
stored in the legitimate e-mail sender(s) store 560 who 
usually sign their message(s) are subjected to the usual 
processing and potential challenging. 
[0062] In another example, higher volume 6ender(8) 
of e-mail customize their "from" address {e.g., a unique 
"from" address for a recipient). For example, the "from" 
address can be based on a global secret Icey Icnown to 
the sender and hashed with the recipienfs e-mail ad- 
dress. Alternatively, a random number can be generated 
and stored for a recipient 



[0063] In yet a tiiird example, a "per recipient ID" 
(PRID) is included in e-maii message(s). The PRiD ap- 
pends sender unique information in a special message 
header field. It is to be appreciated that the PRID does 
s not have to be set on a per-sender basis. Thus, as mail 
is forwarded around an organization, inclusion on the 
legitimate e-mail sender(s) store 560 can be inherited. 
The PRID can be a public key for use with a pubHc key 
signature system (e.g., OpenPGP or S/MIME). 
10 po64] Additionally, sender(s) of e-mail message(s) 
can include requests for chalienge{s) (e.g., to facilitate 
scheduling of receipt of chalienge(s)). For example, an 
e-mai! messagB(s) can include a 
"CHALLENGE^ME^NOW: TRUE" header. This can 
IS cause a system 600 to automatically send a challenge 
and when a correct response is received to Include the 
sender in the legitimate e-mall sender(s) store 560. 
[0065] The challenge component 520 can be adapted 
to detect e-mail message{s) received from mailing list 
20 (s) (e.g., moderated mailing llst(s) and/or unmoderated 
mailing list(s)). For example, a header line such as 
"Precedence: list" or "Precedence: bulk" can be includ- 
ed in e-mail message(s) received from a mailing list. In 
another example, tl\e challenge component 520 detects 
ss that an e-mail message is spam based, at least in part 
upon, detection of a "sender" line being different from a 
"from" line. E-mail message header(s) typically contains 
two different from lines: one "from" line at the top (e.g., 
inserted by the from command used by SIWTP), and a 
30 "from:" header fieW (e.g., the one that is usually dis- 
played to the user.) For mailing lists, these may differ. 
[0066] in one example, the challenge component 520 
can detect e-mail message(s) from mailing iist(s) and 
give a user the opportunity to include the mailing iist(s) 
35 in the legitimate e-mait 8ender(s) store 560. The chal- 
lenge component 520 can additionally include a level of 
confidence associated with the mailing list{s). 
[0067] An issue to be addressed with regard to mail- 
ing iist(s) is to reduce the likelihood that spam-like mes- 
40 sage(s) received from a mailing list will create a mail 
stonn of challenges to the mailing list. This issue differs 
for the different list types. There are 8 situations, al- 
though many of tiiem share the same solution. In par- 
ticular, a mailing list can be can be moderated or un- 
45 moderated and additionally can have different level(s) 
of ability to respond to challenges. This creates 6 types. 
[0068] Many moderated mailing iist(s) include an "ap- 
proved-by" header. For example, for moderated mailing 
list(s), it can be assumed that either all messages are 
so good, or all are spam. For unnnoderated lists, it can be 
assumed tiiat some spam will be sent to the mailing list. 
Thus, for an unmoderated mailing list, the challenge 
component 520 can allow a user to set a threshold de- 
termining whether spam-like messages should be 
55 shown, or simply put in the spam folder(s) 530. 

[0069] For example, an e-mail message from a mail- 
ing list has been detected, a user is given the user the 
opportunity to determine the level of confidence assocl- 
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ated with the mailing list A concern is sending too many 
challenges to mailing lists, especially those that do not 
have the ability to automatically respond to challenges. 
For moderated mailing list(s), for example, a user can 
be pronnpted to include the mailing list In the legitimate 
e-maii sender(s) store 560. In another example, the 
mailing list can respond to a challenge from the chal- 
lenge component 520 and be Included In the legitimate 
e-mail sender(s) store 560. In yet a third example, upon 
subscription to the malDng list, the mafling list prompts 
the user to include the mailing list in the user's legitimate 
e-maii sender(s) store 560. 

[0070] For unmoderated mailing l]st(s), for example, 
a user can be prompted to set a threshold forthe mailing 
list. E-mail message(s) having a probability of being 
spam above the threshold is moved to the spam folder 
(s) 530 and/or deleted. In another example, the mailing 
list can respond to a challenge from the challenge com- 
ponent 520 and be included in the legitimate e-mail 
sender(s) store 560. In yet a third example, upon sub- 
scription to the mailing list, the mailing list prompts the 
user to include the mailing list in the user's legitimate 
mail sender{s) store 560. 

[0071] The challenge component 520 can take into 
account mailing iist(s) that do not have the ability to au- 
tomatically respond to challenges. In particular, for mod- 
erated mailing lists, the challenge component 520 can 
Include the mailing list in the legitimate e-mail sender(s) 
store 560. For unmoderated mailing fists, the challenge 
component 520 can facilitate setting a threshold forthe 
mailing list: messages above the threshold are chal- 
lenged while messages below the threshold are let 
through 

[0072] Inclusion in the legitimate e-maii sender(s) 
store 560 can occur at an appropriate time. For mailing 
lists, It is likely that the user will not send mail TO the 
list. However, it is undesirable to Include the mailing list 
In the legitimate e-maii sender(s) store 560 based on 
small amounts of mail received FROM the list. Other- 
wise a spammer could masquerade as a mailing list, 
send a small amount of messages (none of which are 
deleted as spam) and then send spam freely. In one inv 
plementation, the first time that mail from a mailing list 
arrives, and Is not detected as spam, the user is prompt- 
ed to add the mailing list to the legitimate e-mail sender 
(s) store 560, with an associated threshold. Since most 
mailing lists include a welcome message, If some wel- 
come messages are included in training data, the wel- 
come message is uniilcely to be marked as spam. 
[0073] If, however, the first messages that arrive are 
substemtially all spam-fike, then the messages should 
be Included In the spam fokler(s) 530. In particular, it is 
not desirable to let someone masquerade as a mailing 
list, and send spam. Thus, until the mail listing Is includ- 
ed in the legitimate e-maii sender(s) store 560, the chal- 
lenge component520 can send challenge(s} to the mail- 
ing list as described supra. If the rnessages are spam- 
like but legitimate, the user may or may not receive 



them, depending on how the challenges are handled. If 
the challenges are not answered, they will not get 
through. Thus, it should be difficult to get spam through. 
Eventually, the mailing list will send a non-spam like 
5 message, and the user will be prompted to establish a 
policy for the mailing list. 

[0074] It is to be appreciated that mailing list(s) may 
have a From address such that mail sent to that From 
address is sent to the entire list If a list appears to be 
TO of that type, it is undesirable to send challenges to it as 
they might be received by substantially all readers of the 
maiUng list. Apparent spam from such a mailing list be- 
fore the mailing list has been included in the legitimate 
e-mail sender(s) store 560 can simply be ignored. 
15 The definition of inclusion In the legitimate e-mail sender 
(s) store 560 can be modified for mailing list(s). Given 
that the From line on a mailing list, even a moderated 
one is different for each sender, inclusion in the legiti- 
mate e-maii sender(s) store 560 can be based on other 
•20 part(s) of the header. Often, the To line on a mailing list 
is the mailing list name (so that reply-all goes to the 
whole list.). Thus, for mailing lists, inclusion in the legit- 
imate e-mail sender(s) store 560 can be based, at least 
in part, on the to-line. Thfe can be in addition to from- 
line listing {e.g., if the sender of the mailing list is in the 
legitimate e-mail sender(s) store 560 that also should 
be sufficient). It Is to be appreciated that other header 
lines, for mailing lists, such as sent-by, that can addi- 
tionally and/or alternatively be included in the legitimate 
30 e-mail sender(s) store 560. 

[0075] In order to detennine validity of e-mail address 
(es), spammer(s) rely on "bouncing". IVIany convention- 
al e-maii servers bounce e-mail back to if s sender if it 
is addressed to an invalid address. Thus, for e-maii serv- 
35 ers those e-mail servers, the indicia of validity of an e- 
mail address increases if an e-mail message is'not 
bounced. Accordingly, spammers can send more spam 
messages to the unbounced addresses. 
[0076] For those e-nriail senders which bounce e-mail, 
40 challenges of the present Invention do not provide any 
additional information to the spammer {e.g., lack of 
bounce Is an Indication of validity of the address). Fur- 
ther, the e-mail server can itself send challenges via a 
system for detection of unsoltelted e-maii for "semi-live" 
45 address(es) (e.g., valid but unmonltored address). 
[0077] With regard to e-mail servers which do not 
bounce e-mail to invalid addresses, again the e-mail 
server can itself send challenges via a system for de- 
tection of unsolicited e-mail, for example, to have be- 
50 havior of invalid addres8(e8) be similar to the behavior 
of valid addres8(es). Further, in one implementation, a 
randomization factor is added to the probability that an 
e-mail is spam by the server system (e.g., to prevent 
attempts to circumvent adaptive spam filters). 
55 [0078] Next, turning to Fig. 7, a system 700 for re- 
sponding to a challenge in accordance with an aspect 
of the present invention is illustrated. The system 700 
includes a chaOenge receh^er component 710, a chal- 
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lenge processor component 720 and a challenge re- 
sponse component 730. 

[0079] The challenge recehfer component 710 re- 
ceives a challenge (e.g., to a previously sent e-mail). 
For example the challenge can be based, at least In part, 
upon a code embedded within the challenge, a compu- 
tational challenge, a human challenge and/or a micro- 
payment request. 

[0080] In one example, the challenge receiver com- 
ponent 71 0 detemiines which of a plurality of challenge 
modalities to fonward to the challenge processor com- 
ponent 720 (e,g,, based on available computational re- 
sources and/or user preference). In another example, 
the challenge receiver component 710 provides infor- 
mation to a user to facilitate selection of one of a plurality 
of challenge modalities, thus, allowing a user to select 
which modality, If any, the user wishes to use to respond 
to the chEUIenge. For example, the challenge receiver 
component 710 can provide information which may be 
helpful to the user in selecting an appropriate response 
modality, such as, an amount of computational resourc- 
es required to respond to a computational challenge/an 
amount of a mlcropayment and/or a balance of a micro- 
payment account Once a challenge modality has been 
selected, the challenge is fonvarded to the challenge 
processor 720. 

[0081 ] It is to be appreciated that In certain instances 
the user may desire to not respond to the challenge, In 
which case, no infonnation is sent to the challenge proc- 
essor component 720 and/or the challenge response 
component 730. 

[0082] The challenge processor component 720 proc- 
esses the challenge and provides an output associated 
with the processed challenge. For example, when the 
challenge includes an embedded code, the challenge 
processor component 720 can provide an output to the 
challenge response component 730 which includes the 
embedded code. In the Instance in which the challenge 
includes a computational challenge, the challenge proc- 
essor component 720 can facilitate generation of a so- 
lution to the computational challenge. 
[0083] When the challenge includes a human chal- 
lenge, the challenge processor component 720 can pro- 
vide infomnation to a user to facilitate solving the human 
challenge. In one example, the human challenge can 
include a problem that Is relatively easy for a human to 
solve, and relatively hard for a computer. In one exam- 
ple, the human challenge includes an image of a word 
(ey., GIF or JPEG). The word is partially obscured by 
noise. The noise makes It hard to automatically develop 
a computer program to read the word (or at least, to use 
off-the-shelf components), without making it too hard for 
a human to do it. In this example, the challenge proces- 
sor component 720 can provide the image of the word 
to the user. The user then provides the wond back to the 
challenge processor component 720. The challenge 
processor component 720 provides an output Including 
the word to the challenge response component 730. 



[0084] When the challenge includes a mlcropayment 
request, the challenge processor component 720 can 
facilitate providing an output to the challenge response 
component 730. In one example, a response to a mlcro- 

s payment challenge is based on a one-time use "spam 
certificate'' which can be issued by an issuing authority. 
The challenge processor component 720 can either au- 
tomatically or based on user Input provides a spam cer- 
tificate number to the challenge response component 

io 730. By providing the spam certificate number, the spam 
certificate is thereafter invalidated (e.g., one-time use). 
[0085] in another example, a response to a mlcropay- 
ment challenge Is based on a mlcropayment account. 
Each such response causes an amount to be removed 

IS from a micropayment account maintained, fpr example, 
by an issuing authority. The challenge processor com- 
ponent 720 can provide information assoclated^vlth the 
micropayment account to the challenge response com- 
ponent 730. 

20 [0086] The challenge response component 730 pro- 
vides a response to the challenge based, at least in part, 
upon the output associated with the processed chal- 
lenge. For example, the response to the challenge can 
include an embedded code, solution to a computational 

25 challenge, solution to a human challenge and/or micro- 
payment. 

[0087] In one Implementation, for example, to reduce 
a likelihood of a denial-of-servlce attack, computational 
challenges are ordered by the quantity of challenges al- 

30 ready processed for a given message. Message(s) with 
fewer processed chalienge(s) are processed before 
message(s) having a greater quantity of processed 
challenges are processed [e.g., as computational re- 
sources are available). Thus, in the instance in which a 

35 message is sent to a mailing list, a recipient could send 
computational challenges In an effort to maliciously 
cause a denial-of-service attack. However, once one or 
more computational challenges are processed for that 
message, computational challenges of other messages 

^ having less processed challenges are given priority, 
thus reducing the ilkeliiiood of a denial-of-servlce. 
[0088] In view of the exemplary systems shown and 
descrlt)ed above, methodologies that may be imple- 
mented In accordance with the present Invention will be 

45 better appreciated with reference to the flow chart of 
Figs. B, 9, 10 and 11. While, for purposes of simplicity 
of explanation, the methodologies are shown and de- 
scribed as a series of blocks, it is to be understood and 
appreciated that the present invention Is not limited by 

so the order of the blocks, as some blocks may, In accord- 
ance with the present Invention, occur In different orders 
and/or concun-ently with other blocks from that shown 
and described herein. Moreover, not all illustrated 
blocks may be required to Implement the methodologies 

ss In accordance with the present Inventton. 

[0089] The Invention may be described In the general 
context of computer-executable Instmctions, such as 
program modules, executed by one or more compo- 
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nents. Generally, program modules Include routines, 
programs, objects, data structures, etc, that perfomi 
particular tasks or implement particular abstract data 
types. Typically the functionality of the program modules 
may be combined or distributed as desired in various 
embodiments. 

- [0090] Tuming to Rgs. 8 and 9, a method 800 for de- 
tecting an unsolicited e-mall message in accordance 
with an aspect of the present invention is illustrated. At 
804, an e-mail message Is received. At 808. a probability 
that the e-mail message is spam Is determined (e.g.. by 
a mall classifier). 

[0091] At 812, a determination Is made as to whether 
the sender of the e-mail message is In a legitimate e- 
mall sender(s) store. If the determination at 81 2 is YES, 
processing continues atSIG. If the detemiination at812 
Is NO, at 820, a detenminatlcn is made as to whether 
the sender of the e-mail message Is' in a spam sender 
(s) store. If the determination at 620 Is YES, processing 
continues at 824. If the determination at 820 is NO, at 
628, a determination is made as to whether the proba- 
bility that the e-mail message is spam is greater than a 
first threshold. If the determination at 828 Is NO, 
processing continues at 81 6. If the detemnination at 828 
Is YES, at 832, one or more challenge(8) are sent to the 
sender of the e-mail message. 
[0092] At 836, a determination is made as to whether 
a response to the challenge(s) has been received. If the 
determination at 836 is NO, processing continues at 
836. If the determination at 836 is YES, at 840, a deter- 
mination is made as to whether the response received 
to the challenge is correct. If the determination at 840 Is 
YES, processing continues at 816. if the determination 
at 840 is NO, processing continues at 824. 
[0093] At 81 6, the e-mail message is identified as "not 
spam" (e,g,, placed In legitimate e-mail folder(s) and/or 
associated probability decreased). Next, at 844, the 
sender of the e-mail message is added to the legitimate 
e-mail 8ender(8) store and no further processing 
occurs, . 

[0094] At 824, the e-mail message is identified as 
spam (e.g., placed in spam folder(s), deleted and/or as- 
sociated probability increased). Next, at 848, the sender 
of the e-mail message added to the spam 8ender(s) 
store and no further processing occurs. 
[0095] Refening next to Fig. 10, a method 1000 for 
responding to a challenge in accordance with an aspect 
of the present Invention is illustrated. At 1 01 0, an e-mail 
message is sent. At 1 020, a challenge is received (e.g., 
an embedded code, a computational challenge, a hu- 
man challenge and/^or a request for a micropayment). At 
1030, the challenge is processed. At 1040, a response 
to the challenge is sent. 

[0096] Next, tuming to Rg. 1 1 , a method 1 1 00 for re- 
sponding to challenges In accordance with an aspect of 
the present Invention is illustrated. At 1 1 1 0. e-mail mes- 
sage(s) are sent. At 1 120, challenge(s) are receh^ed (e. 
g,, each challenge having an embedded code, a com- 



putational challenge, a human challenge and/or a re- 
quest for a micropayment). At 1130, the challenge(s) to 
be processed are ordered based, at least in part upon 
message(s] with fewer challenge(s) processed before 

5 message(s) with more chailenge(s) processed [e.g., to 
reduce denial-of-service attacks). At 1140, the chal- 
lenge is processed. At 1 1 50, a response to the selected 
challenge is sent. At 1160, a determination is made as 
to whetherthere are more challenge(s) to process. If the 

f 0 detennlnatlon at 1 1 60 is YES, processing continues at 
1130. if the detemnination at 1160 is NO, no further 
processing occurs. 

[0097] Tuming to Fig. 1 2, an exemplary user interface 
1200 for responding to a plurality of challenges In ac- 
'5 cordance with an aspect of the present invention Is Il- 
lustrated. In this exemplary user interface, a user is 
prompted with the message: 

THE E-MAIL MESSAGE YOU SENT HAS BEEN 
zo DETECTED AS POTENTIAL SPAM. UNLESS YOU 
CORRECTLY RESPOND TO ONE OFTHE CHAL- 
LENGES IDENTIFIED BELOW, THE E-MAIL MES- 
SAGE MAY BE IDENTIFIED AS SPAM AND/OR 
DELETED AS SPAM. 

2S 

[0098] The user is presented with three options: com- 
puter computational challenge, human challenge and 
micropayment. Based, at least in part, upon the user's 
selection, the selected challenge can then be proc- 
30 essed. 

[0099] In order to provide additional context for vari- 
ous aspects of the present Invention, Fig. 13 and the 
following discussion are intended to provide a brief, gen- 
eral description of a suitable operating environment 

35 1310 in which various aspects of the present invention 
may be implemented. While the invention is described 
in the general context of computer-executable instruc- 
tions, such as program modules, executed by one or 
more computers or other devices, those skilled In the art 

<o will recognize that the invention can also be implement- 
ed in combination with other program modules and/or 
as a combination of hardware and software. Generally, 
however, program modules Include routines, programs, 
objects, components, data structures, etc, that perform 

^5 particular tasks or Implement particular data types. The 
operating environment 1310 Is only one example of a 
suitable operating environment and is not intended to 
suggest any limitation as to the scope of use or func- 
tionality of the invention. Other well known computer 

so systems, environments, and/or configurations that may 
be suitable for use with the invention include but are not 
limited to, personal computers, hand-held or laptop de- 
vices, multiprocessor systems, microprocessor-based 
systems, programmable consumer electronics, network 

55 PCs, minteomputers, mainframe computers, distributed 
computing environments that Include the above sys- 
tems or devices, and the Gke. 
[0100] With reference to Fig. 13, an exemplary envl- 
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ronment 1310 for implementing various aspects of the 
invention includes a computer 1312. The computer 
1 31 2 includes a processing unit 1 31 4, a system memory 
1316, and a system bus 1318, The system bus 1318 
couples system components including, but not fimited 
to, the system memory 1316 to the processing unit 
1314. The processing unit 1314 can be any of various 
available processors. Dual microprocessors and other 
multiprocessor architectures alsq can be ennployed as 
the processing unit 1314. 

[0101] The system bus 1318 can be any of several 
types of bus structure(s) including the memory bus or 
memory controller, a peripheral bus or external bus, 
and/or a local bus using any variety of available bus ar- 
chitectures Including, but not limited to, 13'blt bus, In- 
dustrial Standard Architecture (ISA), Micro<^iiannel Ar- 
chitecture (MSA), Extended ISA (EISA), Intelligent Drive 
Electronics (IDE), VESA Local Bus (VLB), Peripheral 
Component Interconnect (PCI), Universal Serial Bus 
(USB), Advanced Graphics Port (AGP), Personal Com- 
puter Memory Card International Association bus (PC- 
MCIA), and Small Computer Systems Interface (SCSI). 
[0102] The system memory 1316 includes volatile 
memory 1320 and nonvolatile memory 1322. The basic 
input/output system (BIOS), containing the basic rou- 
tines to transfer Information between elements within 
the computer 1312, such as during start-up, is stored in 
nonvolatile memory 1 322. By way of Illustration, and not 
limitation, nonvolatile memory 1322 can include read 
only memory (ROM), programmable ROM (PROM), 
electrically programmable ROM (EPROM), electrically 
erasable ROM (EEPROM), or flash memory. Volatile 
memory 1320 includes random access memory (RAM), 
which acts as external cache memory. By way of illus- 
tration and not limitation, RAM is available in many 
forms such as synchronous RAWi (SRAM), dynamic 
RAM (DRAM), synchronous DHMA (SDRAM), double 
data rate SDRAM (DDR SDRAM), enhanced SDRAM 
(ESDRAM). Synchlink DRAM (SLDRAM), and direct 
Rambus RAM (DRRAM). 

[0103] Computer 1312 also Includes removable/non- 
removable, volatile/nonvolatile computer storage me- 
dia. Fig. 13 illustrates, for example a disk storage 1 324. 
Disk storage 1324 includes, but is not limited to, devices 
like a magnetic disk drive, floppy disk drive, tape drive, 
Jaz drive, Zip drive, LS-1 00 drive, flash memory card, 
or memory stick. In addition, disk storage 1324 can in- 
clude stoiBge media separately or In combination with 
other storage media including, but not limited to, an op- 
tical disk drive such as a compact disk ROM device 
(CD-ROM), CD recordable drh^e (CD-R Drive), CD re- 
writable drive (CD-RW Drive) or a digital versatile disk 
ROM drive (DVD-ROM). To facilitate connection of the 
disk storage devices 1324 to the system bus 131 B, a 
removable or non-removable interface is typically used 
such as interface 1326. 

[0104] It is to be appreciated that Fig 13 describes 
software that acts as an intennedbry between users 



and the basic computer resources described in suitable 
operating environment 1 31 0. Such software Includes an 
operating system 1328. Operating system 1328. whfeh 
can be stored on disk storage 1324. acts to control and 
5 allocate resources of the computer system 1312. Sys- 
tem applications 1330 take advantage of the manage- 
ment of resources by operating system 1328 through 
program modules 1332 and program data 1334 stored 
either in system memory 1316 or on disk storage 1324. 
10 It is to be appreciated that the present invention can be 
implemented with various operating systems or combi- 
nations of operating systems. 
[0105] A user enters commands or infomnation Into 
the computer 1 2 through input devlce(s) 1335. Input de- 

15 vices 1 336 include, but are not limited to, a pointing de- 
vice such as a mouse, trackball, stylus, touch pad, key- 
board, microphone, Joystbk, game pad. satellite dish, 
scanner. TV tuner card, digital camera, digital video 
camera, web camera, and the like. These and other in- 

20 put devices connect to the processing unit 1314 through 
the system bus 1 31 8 Wa interface port(s) 1338. Interface 
port(s) 1 338 include, for example, a serial port, a parallel 
port, a game port, and a universal serial bus (USB). Out- 
put device(s) 1 340 use some of the same type of ports 

25 as input devlce(s) 1 336. Thus, for example, a USB port 
may be used to provide input to computer 1312, and to 
output Infomnation from computer 1312 to an output de- 
vice 1340. Output adapter 1342 is provided to Illustrate 
that there are some output devices 1340 like monitors, 

30 speakers, and printers among other output devices 
1340 that require special adapters. The output adapters 
1342 include, by way of illustration and not limitation, 
video and sound cards that provide a means of connec- 
tion between the output device 1 340 and the system bus 

35 1 31 8. It should be noted that otiier devices and/or sys- 
tems of devices provide both Input and output capabili- 
ties such as remote computer(s) 1344. 
P)106] Computer 1312 can operate in a rietworiced 
environment using logical connections to one or more 

40 remote computers, such as remote computer(s) 1344. 
The remote computer(s) 1344 can be a personal com- 
puter, a server, a router, a networic PC, a woricstation, a 
microprocessor based appliance, a peer device or other 
common networic node and the like, and typically In- 

<5 eludes many or all of the elements described relative to 
computer 1312. For purposes of brevity, only a memory 
storage device 1346 is illustrated with remote computer 
(s) 1 344. Remote computer(s) 1 344 is bglcally connect- 
ed to computer 1312 through a network interface 1348 

50 and then physically connected via communication con- 
nection 1350. Network interface 1348 encompasses 
communication networics such as local-area networics 
(LAN) and wide-area networks (WAN). LAN technolo- 
gies include Fiber Distributed Data Interface (FDDI), 

55 Copper Distributed Data Interface (CDDI), Ethernet/ 
IEEE 1302.3. Token Ring/IEEE 1302.5 and the like. 
WAN technologies include, but are not limited to. point- 
to-point links, circuit switching networks like Integrated 
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Services Digital Networks (ISDN) and variations there- 
on, packet switching networks, and Digital Subscriber 
Lines (DSL). 

[0107] Communication connectlon(s) 1350 refers to 
the hardware/software employed to connect the net- 
workinterface 1348 to the bus 1318. While communica- 
tion connection 1350 is shown for iQustrath^e ciarity in- 
side computer 1312. it can also be external to computer 
1312. The hardware/software necessaiy for connection 
to the network interface 1348 includes, for exemplary 
purposes only, internal and extemat technologies such 
as, modems including regular telephone grade mo- 
dems, cable modenns and DSL modems, ISDN adapt- 
ers, and Ethernet cards. 

[0108] What has been described above includes ex- 
amples of the present invention. It Is, of course, not pos- 
sible to describe every conceivable combination of conrv 
ponents or methodologies for purposes of describing 
the present invention, but one of ordinary skill in the ait 
may recognize that many further combinations and per- 
mutations of the present invention are possible. Accord- 
ingly, the present invention is intended to embrace all 
such alterations, modifications and variations that fall 
within the spirit and scope of the appended claims. Fur- 
thermore, to the extent that the tenn "includes" Is used 
in either the detailed description or the claims, such temn 
is intended to be inclusive In a mannersimllartothe temi 
"comprising" as "comprising** is interpreted when em- 
ployed as a transitional word in a claim. 



Claims 

1 . A system facilitating detection of unsolicited e-mail, 
comprising: 

an e-mail component that receives or stores 
messages and receives or computes associat- 
ed probabilities that the e-mail messages are 
spam; and, 

a challenge component that sends a challenge 
to an originator of an e-mail message having 
an associated probability greater than a first 
threshold. 

2. The system of claim 1 , further comprising a mail 
classifier that receives e-mail messages and deter- 
mines the associated probability that the e-mail 
message is spam. 

3. The system of claim 1 , the challenge component 
further modifying the associated probability that the 
e-mail message is spam based, at least in part, up- 
on a response to the challenge. 

4. The system of claim 1 , the challenge being an em- 
bedded code. 



5. The system of claim 1 , the challenge being a com- 
putational challenge. 

6. The system of dalm 5, the computational challenge 
s being a one-way hash of the message Including 

time stamp and recipient stamp. 

7. The system of dalm 1 , the challenge being a human 
challenge. 

10 

8. The system of claim 1 , the challenge being a micro- 
payment request. 

9. The system of daim 1 , a user being given a choice 
IS of challenges, the choice of challenges being based 

upon a fitter. 

10. The system of claim 1 , a difficulty of the challenge 
being based, at feast In part, upon the associated 

^0 probability that the e-mail message is spam. 

11. A system fadlitating detection of unsolicited mes- 
sages, comprising: 

a mail classifier that receives an Incoming mes- 
sage and classifies the incoming message as 
spam or a legitimate message; and, 
a challenge component that sends a challenge 
to a sender of the message if the message is 
30 dassifled as spam. 

12. The system of claim 11, the mall classifier further 
storing the Incoming message in a spam folder or a 
legitimate message folder. 

35 

13. The system of claim 12, the challenge component 
further moving the message from the spam folder 
to the legitimate message folder based, at least in 
part, upon a response to the challenge. 

40 

1 4. The system of dalm 1 1 , the challenge being an em- 
bedded code. 

1 5. The system of dalm 1 1 , the challenge being a com- 
^5 putational challenge. 

16. The system of claim 11 , the challenge being a hu- 
man challenge. 

so 17. The system of c\akt\ 11 , the challenge being a ml- 
cropayment request. 

18. The system of claim 11, further comprising a legiti- 
mate message sender(s) store that stores informa- 

ss tion associated with a sender of legitimate message 
(s). 

19. The system of daim 18, the challenge component 
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adding information associated with the sender of 
the message to the iegitimate message 8ender(s) 
store, if the challenge is responded to correctly. 

20. The system of claim 11 , further comprising a spam s 
sender(s) store that stores Information associated 
with a sender of spam. 

21. A system facilitating detection of unsolicited e-mail, 
comprising: io 

a mall classifier that receives an Incoming e- 
mail message and classifies the incoming e- 
mail message as spam, questionable spam or 
legitimate eHnail; and, is 
a challenge component that sends a challenge 
to a sender of an e-mail message classified as 
questionable spam. 

22. The system bf claim 21 , the mail classifier further 20 
storing the incoming e-mail message in a spam fold- 
er, a questionable spam or a legitimate mail folder. 

23. The system of claim 22, the challenge component 
further moving the e-mail message from the ques- 25 
tlonable spam folder to the spam folder or the legit- 
imate mail folder based, at least in part, upon a re- 
sponse to the challenge. 

24. The system of claim 21 , the challenge being at least 30 
one of an embedded code, a computational chal- 
lenge, a human challenge and a micropayment re- 
quest. 

25. The system of dalm 21 further comprising a legiti- ss 
mate e-mail sender(s) store that stores information 
associated with a sender of legitimate e-mail. 

26. The system of claim 21 , further comprising a spam 
sender(s) store that stores information associated 40 
with a sender of spam. 

27. The system of claim 21 , the e-mail message includ- 
ing a per recipient ID. 

45 

28. The system of claim 21 , the challenge component 
further adapted to detect whether the e-mail mes- 
sage Is from a mailing list. 

29. The system of claim 28, the challenge component so 
further adapted to detect whether the mailing list is 
moderated or unmoderated. 

30. A method for detecting unsolicited e-mail, compris- 
ing: 55 

sending a challenge to a sender of an e-mail 
message classified as questionable spam; 



receiving a response to the challenge; and. 
modifying the classification of the e-mail mes- 
sage based, at least In part, upon the response 
to the challenge. 

31 . The method of claim 30, further comprising at least 
one of the following acts, receiving the e-mail mes- 
sage; 

classifying the e-mail message as spam, 
questionable spam or legitimate e-mail; 

determlning whether the sender Is stored In a 
legitimate e-mail sender(s) store; and, 

detemilning whether the sender Is in a spam 
sender(s) store. 

32. The method of claim 30, the challenge being at least 
one of an embedded code, a computational chal- 
lenge, a human challenge and a micropayment re- 
quest. 

33. A method for responding to e-mail challenges, com- 
prising: 

receiving challenges to e-mail messages; 
ordering the challenges based, at least in part, 
upon a message with fewer challenges proc- 
essed before a message with more challenges; 
processing the challenge of the message with 
fewer challenges; and, 

sending a response to the challenge of the 
message with fewer challenges. 

34. A data packet transmitted between two or more 
computer components that facilitates unsolicited e- 
mail detection, the data packet comprising: 

a data field comprising information associated 
with a challenge, the challenge being based, at 
least in part, upon an associated probability 
that an e-mail message is spam. 

35. A computer readable medium storing computer ex- 
ecutable components of a system facilitating detec- 
tion of unsolicited e-mall, comprising: 

a mall classifier component that receh/es e-mail 
messages and determines an associated prob- 
ability that the e-mail message is spam; and, 
a challenge component that sends a challenge 
to a sender of an e-mail message having an as- 
sociated probability greater than a first thresh- 
old. 

36. A system facilitating detection of unsolicited e-mail, 
comprising: 

means for determining an associated probabil- 
ity that an e-nnall message Is spam; and, 
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means for sending a challenge to a sender of 
an e-mail message having an associated prol>- 
abilfty greater than a first threshold. 
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